svn commit: r477823 - head/security/vuxml
Dan Langille
dan at langille.org
Wed Aug 22 21:24:28 UTC 2018
> On Aug 22, 2018, at 4:32 PM, Matthew Seaman <matthew at FreeBSD.org> wrote:
>
> Author: matthew
> Date: Wed Aug 22 20:32:50 2018
> New Revision: 477823
> URL: https://svnweb.freebsd.org/changeset/ports/477823
>
> Log:
> Document the latest phpMyAdmin security advisory PMASA-2018-5
>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> ==============================================================================
> --- head/security/vuxml/vuln.xml Wed Aug 22 20:32:03 2018 (r477822)
> +++ head/security/vuxml/vuln.xml Wed Aug 22 20:32:50 2018 (r477823)
> @@ -58,6 +58,37 @@ Notes:
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> + <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
> + <topic>phpmyadmin -- XSS in the import dialog</topic>
> + <affects>
> + <package>
> + <name>phpmyadmin</name>
I am not sure this will correctly flag the affected packages.
1 - the package name is more like phpMyAdmin-PHP VERSION
It was once just phpMyAdmin which was easy for a vuxml entry.
Recently, it changed to include PKGNAMESUFFIX= ${PHP_PKGNAMESUFFIX} (blame mat with revision 466558):
https://svnweb.freebsd.org/ports/head/databases/phpmyadmin/Makefile?annotate=473096#l11
My idea for fixing: add name entries for:
* phpMyAdmin
* phpMyAdmin-php56
* phpMyAdmin-php(all the other versions)
Does this make sense?
reference data below:
freshports.dev=# select package_name, element_pathname(element_id) from ports_active where name = 'phpmyadmin';
package_name | element_pathname
------------------+---------------------------------------------
phpMyAdmin-php56 | /ports/head/databases/phpmyadmin
phpMyAdmin | /ports/branches/2016Q4/databases/phpmyadmin
phpMyAdmin | /ports/branches/2017Q1/databases/phpmyadmin
phpMyAdmin | /ports/branches/2018Q1/databases/phpmyadmin
phpMyAdmin-php56 | /ports/branches/2018Q2/databases/phpmyadmin
(5 rows)
freshports.dev=#
> + <range><lt>4.8.3</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>The phpMyAdmin development team reports:</p>
> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-5/">
> + <h3>Description</h3>
> + <p>A Cross-Site Scripting vulnerability was found in the
> + file import feature, where an attacker can deliver a payload
> + to a user through importing a specially-crafted file.</p>
> + <h3>Severity</h3>
> + <p>We consider this attack to be of moderate severity.</p>
> + </blockquote>
> + </body>
> + </description>
> + <references>
> + <url>https://www.phpmyadmin.net/security/PMASA-2018-5/</url>
> + <cvename>CVE-2018-15605</cvename>
> + </references>
> + <dates>
> + <discovery>2018-08-21</discovery>
> + <entry>2018-08-22</entry>
> + </dates>
> + </vuln>
> +
> <vuln vid="fe99d3ca-a63a-11e8-a7c6-54e1ad3d6335">
> <topic>libX11 -- Multiple vulnerabilities</topic>
> <affects>
>
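Review bot: The single `<name>phpmyadmin</name>` under `<affects>` is unlikely to match the packages this port actually builds, which carry the PHP flavour via PKGNAMESUFFIX (phpMyAdmin-php56 on head, per the FreshPorts query in the reply) and are capitalised phpMyAdmin rather than phpmyadmin; the `* Do not forget port variants` note in this hunk's own context covers exactly this case. Suggest one `<name>` element per real package name, e.g.

<name>phpMyAdmin</name>
<name>phpMyAdmin-php56</name>

plus the remaining PHP-version variants the port produces, so that the 4.8.3 range is applied to each of them.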
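An added example, not part of Dan's message or of the ports tree, showing why the `<name>` element matters: a minimal VuXML matcher in Python, run over a constructed list of installed package names, flags nothing for the entry as committed but flags the pre-4.8.3 packages once one `<name>` per real package name is listed. It assumes exact, case-sensitive name matching and a simplified numeric version comparison; phpMyAdmin-php72 is a hypothetical flavour name standing in for the other PHP versions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed fragment: the <affects> block as committed (vid and range from the commit).
ENTRY_AS_COMMITTED = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
  <affects><package><name>phpmyadmin</name>
   <range><lt>4.8.3</lt></range></package></affects>
 </vuln></vuxml>"""
# Same entry with one <name> per real package name (phpMyAdmin-php72 is a
# hypothetical extra flavour standing in for "all the other versions").
ENTRY_WITH_VARIANTS = ENTRY_AS_COMMITTED.replace(
    "<name>phpmyadmin</name>",
    "<name>phpMyAdmin</name><name>phpMyAdmin-php56</name><name>phpMyAdmin-php72</name>")
# Constructed installed-package list in pkg's name-version form.
INSTALLED = ["phpMyAdmin-php56-4.8.2", "phpMyAdmin-4.7.9", "phpMyAdmin-php56-4.8.3"]

def version_key(v):
    # Simplification of pkg's version ordering: compare the numeric components only.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def in_range(version, rng):
    """True if version satisfies every bound (lt/le/gt/ge/eq) inside one <range>."""
    ops = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
           "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}
    return all(ops[b.tag.split("}")[1]](version_key(version), version_key(b.text))
               for b in rng)

def audit(vuxml, installed):
    """Map each installed 'name-version' string to the vids that affect it.
    Assumption: <name> is matched exactly and case-sensitively, as a plain string."""
    hits = {}
    for vuln in ET.fromstring(vuxml).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = {n.text for n in pkg.findall("v:name", NS)}
            ranges = pkg.findall("v:range", NS)
            for full in installed:
                name, _, version = full.rpartition("-")
                if name in names and any(in_range(version, r) for r in ranges):
                    hits.setdefault(full, []).append(vuln.get("vid"))
    return hits

if __name__ == "__main__":
    print("as committed:  ", audit(ENTRY_AS_COMMITTED, INSTALLED))   # {}
    print("with variants: ", audit(ENTRY_WITH_VARIANTS, INSTALLED))
```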